A Jew in a German Camp

I just wrote an OT post to my personal blog about the CCC Camp, but I figured it was a security camp after all, so I will link to myself here:

http://gevron.livejournal.com/8859.html

Windows screensaver lock and lecturing

I was giving a lecture at NPS yesterday, and while I was unlocking my laptop (XP), suddenly, before it was unlocked, a File Open window popped up. I could browse, and more importantly, open files. The first choice of the system was .hlp.

Can someone say pwnage? Anyone up to doing some monkey fuzzing on that interface?

Gadi Evron,
ge@linuxbox.org.

Now fingerprint reader and rootkits - Sony did it again

This report by F-Secure’s Mika Ståhlberg states that the MicroVault USM-F fingerprint reader software shipped with that Sony USB stick installs a driver that hides a directory under C:\Windows.

And - reportedly the guys at the F-Secure research laboratory

also tested the latest software version available from Sony at www.sony.net/Products/Media/Microvault/ and this version also contains the same hiding functionality. [added a hyperlink]

Hmmm - time to wear my white T-shirt with text familiar to many readers - “Most people don’t even know what a rootkit is, so why should they care about it?”

ISOI 3 is on, and Washington DC is hot

Following up on that strange title, ISOI 3 (Internet Security Operations and Intelligence), a workshop for do-ers who work on the security of the Internet and its users, is happening Monday and Tuesday in Washington, DC.

This time around we have even more government participation (we’re in DC, duh), but a bit less from academia (who can try to look at long-term solutions), rather than just us security researchers and operators (who respond to, contain and mitigate incidents).

I am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. I am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, affecting change.

If you are interested in this realm of Internet security operations, take a look at ISOI 3’s schedule, and perhaps submit something for the next workshop.

Some reporters are somewhat annoyed that entrance is barred to them, but I hope they understand that although we make things public whenever we can, as full disclosure is a strong weapon in the fight against cyber crime, folks cannot share as openly when they have to be on their toes all the time.

The third ISOI is here because after DHS ended up unable to host it, sponsors emerged who were happy to assist:

Afilias Ltd.: http://www.afilias.info/
ICANN: http://www.icann.org/
The Internet Society: http://www.isoc.org/
Shinkuro, Inc.: http://www.shinkuro.com/

It’s going to be an interesting next week here at the swamp. Attendees had better show up with their two forms of ID. :)

Gadi Evron,
ge@linuxbox.org.

MS Patch Tuesday and Skype outage - why things didn’t match

Now that Skype’s explanation (written on 20th Aug), Microsoft’s response (also written on Monday) and Skype’s clarification (written today, 21st Aug) all exist, it’s time to share a short summary:

Why did the security community react the way it did?

1. Microsoft has released monthly security updates since January 2004
2. There were three critical MS patches in July, and four critical in June
3. Only four August critical patches included a mandatory reboot
4. The critical patch (MS07-044) for the code execution issue in Excel needs no reboot
5. The critical patch (MS07-050) for VML needs a reboot only if files are in use
6. SecurityLab.ru released a public Skype Network Remote DoS Exploit on 17th Aug
7. There was a new Skype for Windows version, 3.5.0.214, out on 17th Aug
8. A lot of home users go to Microsoft Update on Tuesday, not on Thursday…

Do we need more reasons? No. Boys and girls at Skype, please share information: that you are aware of the public PoC, what the new bugfix release fixes, etc.

But the good news: Villu Arak of Skype states that their “bug has been squashed.” And

The parameters of the P2P network have been tuned to be smarter…

Fine, because there are Black Tuesday patches in the future too! ;-)

Cryptome updates its database: NSA surveillance works globally

When putting together all six updates of the IP address listings released at Cryptome.org, it appears that the National Security Agency knows very well what is happening in the cables of companies which are very familiar to us.
The newest August update, Latest Updated NSA-Affiliated IP Resources 6, includes the following ISPs and organizations: 3G Mobile, AT&T, Akamai Technologies, Amazon, Apple, Deutsche Telekom, eBay, Google, Microsoft, MySpace.com, Qwest, and Xerox Research Center.

From Tokyo, Japan, the listing includes NTT Communications Corp.; from Warszawa, Poland, Netia Telekom; from Stockholm, Sweden and Helsinki, Finland, TeliaSonera; and from Vaasa, Finland, VLP.
As always, Mr. John Young doesn’t disclose his sources.

Ciaaaaaaliiis Viaaaaaagraaa - Nooo thaaanks!

Some of the spam e-mails in my Inbox today are really funny, when looking at the basic information of the messages.

From: Isabelle Hammer

Subject: Re[05]: Ciaaaaaaliiis Viaaaaaagraaa Leeeeeevitra. Preise die keine Konkurrenz kennen
Message body: Hallo , jonleht !Meinung von unserem Kunden:
Ich nehme jedes Mal 10 mg….

Why does the sender’s name differ from the visible name, why are they fighting spam filters with thooose terrible wooords, why do they send German-language spam to Finland, and why do they call me jonleht - again?

Hey, we saw these non-working methods hundreds of times already!

Windows’s VML implementation - is it so difficult to patch?

When looking into this week’s Redmond patches there was a critical patch for the Vector Markup Language component Vgx.dll - again.
The newest flaw is in the handling of compressed content and is a heap overflow. The issue was discovered by Mr. Derek Soeder of eEye Digital Security.

Most of us remember the VML 0-day case in September ‘06. ZERT released a 3rd party fix and Microsoft pushed out their official update before the monthly September bulletins. Details about the vulnerability and the case can be found in my Windows VML Vulnerability FAQ (CVE-2006-4868) document.

The reporting timelines of the three newest VML issues are below:

#1: fill method buffer overflow - Vgx.dll
18-Sep-06 Sunbelt Software contacted the vendor
The person who discovered this 0-day flaw is not known
25-Sep-06 MS06-055 is out

#2: Recolorinfo integer overflow - Vgx.dll
03-Oct-06 Vendor was contacted by iDefense
09-Jan-07 MS07-004 is out

#3: Compressed content heap overflow - Vgx.dll
24-Oct-06 Vendor was contacted by eEye
14-Aug-07 MS07-050 is out

Related to issue #2 Microsoft stated the following:

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes.

The fact is that Microsoft was aware of the latest vulnerability, i.e. issue #3, for almost ten months.

eWeek: Estonian Cyber-War Highlights Civilian Vulnerabilities

I posted a column on eWeek on what critical infrastructure means, looking back at the Estonia incident.

They edited out some of what I had to say on home computers and their impact as a critical infrastructure, but hey, word limitations.

http://www.eweek.com/article2/0,1895,2166125,00.asp

Gadi Evron,
ge@linuxbox.org.

Month of PHP Bugs exploits are gone - or are they?

Mr. Stefan Esser of the Hardened-PHP Project has announced that the exploit code from the Month of PHP Bugs is no longer part of his Web site.

The reason for this is a new law in Germany which came into force today. This new law makes it illegal to create or distribute software that could be used by someone to break into a computer system or to prepare a break-in.

This includes PoC exploits too, says Mr. Esser.
But we know that the Internet remembers many things.

6 In The Morning

About a month back it was SecuriTeam Blogs’ birthday, and I have been meaning to write something about this for a while now. As we all know though, when we actually get around to doing the things that we want to is usually an entirely different story.

I was going to write about my favourite article over the last year, but to be honest, I can’t think of an article that I didn’t enjoy either reading or writing on here, so this post is going to be a little bit different.

I’ve seen the statistics of how many returning visitors we have coming to this site on a daily basis and how many new and unique visitors we got in the last year, and all that I can honestly say is WOW! The numbers were huge, so I guess between all the bloggers on here, we must be doing something right, whether that’s writing about the latest virus that’s doing the rounds, hiring penetration testers, botnets or running IE7 on Linux.

I think that all the bloggers who write for SecuriTeam will agree with me on this one: we’re not going to stop writing these stories, as we enjoy writing them, probably as much as you enjoy reading them. Hopefully in time the quality of our stories will exceed the levels that they’re at now, and we’ll find even more interesting things to write about. I think that in this ever-evolving world that we call security, that’s really not going to be too difficult to do, and all of us on here are probably writing way too many reports anyway, so that always helps to keep the writing interesting.

So to end this post, I’d like to say a big thank you to all our readers, as you’re the people who keep this site going; we just write the articles, and if it wasn’t for you, this site probably wouldn’t exist. If there are any issues that you’d like covered in the future, let us know, and we’ll do our best to oblige.

Buy stuff from spam mail

Finally, after years of receiving it, I tried to buy something out of the spam I got, but damn, it is difficult, and who is to blame? The spam killers - filters, finders and removers. Because of them I can no longer read what the spammer is actually trying to sell me :) Even worse, when I do call the guy up he is so amazed to hear someone call him that he asks me to call again as he is in his car - kudos to Lev here :) .

Here is a sample of what I mean:

Subject: The MFC library shipping with Visual C++ 4.

Body:

u){e} [N](e)[w][s] To I^mpact {C}{V}
C^hina You.TV {C}{r}

(.)
Sym*bol: [C]{T}[V]
We (a)(v) alre-ady {s}[e]{n} CYT+V’s m,arket i+mpact befor#e climbi_n.g to {o}[v][r] $2^.00 {w}{i}(t){h} (n)[e][s]< .>
P^ress Relea`se:
C-hina YouTV’_s Cn^Boo {e} (S){i}[t][e] R+anks [N][o]< .>[1] on M.icr*osoft {i}{v}[e] S+earch E-ngine
CnBo*o Traff.ic Increa,se*s [4]<9>< %> {O}[v] (T)(o) M+onths
{R}[a][d] [t][h](e) ne.ws, th_ink a*bout {t}(h)(e) impa`ct, and
{j}(u)

on {h}{i}(s) f+irst thin`g Tomo#r+row m^*orning! $0*.42 is a (g)(i)[f][t] at (t)[h]{s} pr_#ice…..
Do (y)[o][u] homew+or-k (n)(d) w_atch (t){h}{i}(s) tra*de Mo,nday mo,rning.

What is this? :P I can’t read this! Even if I tried I wouldn’t spend so much time trying to read it, as I don’t spend much time reading other types of perfectly legal advertisements :P .
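Both spam samples quoted on this page (the German pharmacy mail above and this stock-tip mail) rely on the same two evasion tricks: stretching words so a keyword filter misses them (“Ciaaaaaaliiis”) and wrapping single letters in bracket and punctuation noise (“Sym*bol: [C]{T}[V]”). As an added example, not code from either post, here is a small Python normaliser that undoes both tricks before matching a term list, and flags a From: line whose display name shares nothing with the mailbox it points to. The From: address, the stock-spam excerpt’s reuse and the watchword list are constructed for the demo; the posts show only the display name and the message text.

```python
"""Normalise two spam-obfuscation tricks so a keyword filter can match the text.

Added example, not code from the original posts.  Trick 1: elongated words
("Ciaaaaaaliiis").  Trick 2: letters wrapped in bracket/punctuation noise
("Sym*bol: [C]{T}[V]").  Also flags a From: display name that shares no token
with the mailbox local part.  The mailbox address and the watchword list below
are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Punctuation the stock-spam sample sprinkles between and around letters.
NOISE_CHARS = re.compile(r"[{}\[\]()<>^*`#+_,.\-]")
# A letter repeated three or more times in a row; legitimate words rarely do this.
ELONGATED = re.compile(r"([A-Za-z])\1{2,}")
# Stand-in for a real filter's term list (constructed).
WATCHWORDS = ("cialis", "viagra", "levitra", "symbol", "market", "trade")

# Headers/body as quoted in the post; the mailbox address is constructed.
SAMPLE_MESSAGE = """\
From: Isabelle Hammer <qx71@mail.example.invalid>
Subject: Re[05]: Ciaaaaaaliiis Viaaaaaagraaa Leeeeeevitra. Preise die keine Konkurrenz kennen

Hallo , jonleht !Meinung von unserem Kunden:
Ich nehme jedes Mal 10 mg....
"""


def strip_noise(text: str) -> str:
    """Drop bracket/punctuation noise and squeeze the spaces it leaves behind.

    Side effect worth knowing: dots inside prices ("$2^.00") are removed too,
    so amounts are not reliable after normalisation.
    """
    cleaned = NOISE_CHARS.sub("", text)
    return re.sub(r"[ \t]+", " ", cleaned).strip()


def collapse_elongation(text: str) -> str:
    """Reduce 'Ciaaaaaaliiis' to 'Cialis' by collapsing 3+ repeats to one letter."""
    return ELONGATED.sub(r"\1", text)


def normalise(text: str) -> str:
    """Apply both de-obfuscation steps."""
    return collapse_elongation(strip_noise(text))


def watchwords_in(text: str) -> list:
    """Return the watchwords present once the text is normalised (list order)."""
    lowered = normalise(text).lower()
    return [w for w in WATCHWORDS if w in lowered]


def display_name_mismatch(from_header: str) -> bool:
    """True when neither a display-name word nor its initials occur in the local part."""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False
    local = addr.split("@", 1)[0].lower()
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]+", name)]
    if not tokens:
        return False
    initials = "".join(t[0] for t in tokens)
    return not (any(t in local for t in tokens) or initials in local)


def analyse(raw_message: str) -> dict:
    """Parse an RFC 822 message and report normalised subject, hits and From: check."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    return {
        "subject": normalise(subject),
        "watchwords": watchwords_in(subject + "\n" + msg.get_payload()),
        "from_mismatch": display_name_mismatch(msg.get("From", "")),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_MESSAGE)
    print("Normalised subject:", report["subject"])
    print("Watchwords hit:", report["watchwords"])
    print("From: name/mailbox mismatch:", report["from_mismatch"])
    # The stock-tip style: letters wrapped in noise, one line from the post above.
    print(strip_noise("C-hina YouTV Cn^Boo (S){i}[t][e] R+anks [N][o]< .>[1]"))
```

The elongation rule deliberately collapses only runs of three or more so that ordinary doubled letters (“letter”, “Konkurrenz”) survive; the display-name check accepts either a name token or the initials in the local part, so a legitimate sender such as “Gadi Evron <ge@...>” is not flagged.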

Privacy, The Illusion Of

In a recent blog entry, Google announced the production of a 4.5 minute movie about search privacy in Google. Let me quote the presenter, Maile Ohye:

“As you can see, logs don’t contain any truly personal information about you.” - Maile

I strongly suggest you watch the clip and have your own opinion. Below is my own:

What Maile neglects to mention is that Google keeps all the queries you submit together, correlated by your cookie, including the user you use to log in to Google, the links you clicked on in search results, any site you visited with a Google ad, every address you mapped, every product you searched, every video you watched, etc., which makes up a nice profile of your behavior online.

If you slip - once - and search for something which is personal - a name of someone you know, your home address in Google Maps, a nearby store, your email address - then it has that information in your profile too. If you use a Google account, it doesn’t even matter if you switch computers or expire the cookies.

I use Google a lot, I have a Google account and if you look it up you’ll probably know pretty much most of my interests and generally a lot about me. I am aware of the fact that this is so. It doesn’t stop me from using Google’s services - I like using Google’s services, and I know that one of the things that make them of value to me is the fact that Google knows a lot about me and what I do and where I go and what I care about. I don’t care, because I do not search with the same account, browser, cookie or IP address for things I don’t want Google to know about. How many people know enough about the Internet to take such measures? Not many, I guess.

So back to the clip. The video clip is market-speak (doublespeak? duckspeak?). It is marketing privacy as a differentiator for Google’s services, and portrays Google’s privacy practices as benign. In that sense, it serves its purpose. The problem that I can see is that privacy doesn’t need a lot of marketing. I don’t think you really need to market your privacy practices. The way I see it, the world is made out of 3 kinds of people:

1. Those who don’t care about privacy; they just graze around where the grazing is good, and are pretty much oblivious to such concerns. For these people, if you make an appealing product (not even a good product), market it properly, and make it cool, they will come. Even if you trample their privacy, they will still come, because they don’t care. Reference: iPod. OMG I’m using a MacBook Pro now. Busted, I guess. People from this group wouldn’t care much even if you didn’t have a privacy policy in place. Google already won them over, making Google a household name. Want to increase your market share here? Add a scroll wheel. Oh wait, that’s so early 2000s. Add a touch screen.

2. Those who like their privacy but don’t really know much about privacy or privacy technology. These people are, to an extent, conspiracy theorists. “Google keeps my email for good so they must be trying to control my mind! We’re dooooomed! Run away, run away!”. They are, as far as I can tell, a loud but small minority. Sometimes they’re so loud that it makes people from group #1 look around from their pasture, cock their head to one side, and, well, keep on grazing. Marketing privacy to these people will most likely just compound the conspiracy theories, because you wouldn’t do it unless you had something to hide. These people might just as well use Google’s services and perform some token ceremony to make sure that Google isn’t watching them, like expiring their cookies or perhaps even cleaning their pages with Greasemonkey. Oh well. I say to Google - let them be. There’s little you can do about it.

3. These are the people who are aware of the implications of using technology and either come to terms with it, or don’t play. I know some people who don’t play, and I can’t blame them. I personally am less hard-core, perhaps, because I agree to make a lot of my life more open to scrutiny in order to reap the benefits. It’s a risk, a managed risk. If there is some way this might come back to haunt me despite the precautions I’ve taken, well, I guess I’ll know it eventually, and I can only blame myself.

Have a doubleplus good day.

Disclaimer: All of the opinions presented here are my own and do not necessarily reflect the opinions of any entity I may be affiliated with.

Mozilla’s JavaScript fuzzer - Opera’s best friend

Window Snyder, the head of security strategy at Mozilla Corporation, wrote this week about Opera’s use of Mozilla’s JavaScript fuzzer. Mrs. Snyder points to the post of Claudio Santambrogio from Opera Software:

While running the tool, we found four crashers - one of which might have some security implications.

When will we read news like this from Microsoft and Apple?

ZZZ of the month

This has to be the ZZZest (sleepiest, for those who didn’t get the idea) post of the month: a guy called Hamachiya found a vulnerability that crashes IE7 and IE6. No big news here - aren’t there a few, or even a few dozen, such vulnerabilities already? Still, for no obvious reason other than the fact that he wrote it in Japanese, it got Slashdot headlines.

Am I missing something or is this part of the “no-news week, therefore we take anything that looks remotely interesting”?

Intel’s vPro ad is here, safe at last

Judging from this ad, life is good: before, we had a lot of security issues; now, with Hardware on our side in the battle for complete security, everything is ok :)